Report: China hijacked U.S. Internet data

A Chinese state-run telecom provider was the source of the redirection of U.S. military and corporate data that occurred this past April, according to excerpts of a draft report sent to CNET by the U.S.-China Economic and Security Review Commission.

The current draft of the U.S.-China Economic and Security Review Commission's (USCC's) 2010 annual report, which is close to final but has not yet been officially approved, finds that malicious computer activity tied to China continues to persist following reports early this year of attacks against Google and other companies from within the country. In several cases, Chinese telecommunications firms have disrupted or impacted U.S. Internet traffic, according to the excerpts.

On March 24, Web traffic to YouTube, Twitter, Facebook, and other popular sites was temporarily affected by China's own internal censorship system, sometimes known as the Great Firewall. Users in Chile and the United States trying to reach those sites were diverted to incorrect servers or encountered error messages indicating that the sites did not exist. The USCC report said it was as if users outside China were trying to access restricted sites from behind China's Great Firewall.

Then on April 8, a large number of routing paths to various Internet Protocol addresses were redirected through networks in China for 17 minutes. The USCC identified China's state-owned telecommunications firm China Telecom as the source of the "hijacking." This diversion of data would have given the operators of the servers on those networks the ability to read, delete, or edit e-mail and other information sent along those paths. The April incident affected traffic to and from U.S. government and military sites, including sites for the Senate, the Army, the Navy, the Marine Corps, the Air Force, and the office of the Secretary of Defense, the USCC said. Rodney Joffe, senior technologist at Domain Name System registry Neustar, also confirmed in a recent interview with CNET that the data diverted to China came from Fortune 500 companies and many branches of the U.S. government. Evidence did not clearly indicate whether this diversion of data was done intentionally or for what purpose, according to the USCC.
But the capability alone raises a red flag. "Although the commission has no way to determine what, if anything, Chinese telecommunications firms did to the hijacked data, incidents of this nature could have a number of serious implications," said the report excerpts. "This level of access could enable surveillance of specific users or sites. It could disrupt a data transaction and prevent a user from establishing a connection with a site. It could even allow a diversion of data to somewhere that the user did not intend (for example, to a 'spoofed' site)."

The report also commented on an incident in April in which a China-based spy network was accused of targeting government departments, diplomatic missions, and other groups in India. The activity, which also compromised computers in at least 35 other countries, including the U.S., grabbed sensitive documents from the Indian government. Though the USCC could not definitively link this incident to the Chinese government, the authors of the report do believe there is an "obvious correlation to be drawn between the victims, the nature of the documents stolen, and the strategic interests of the Chinese state."

The excerpts did note some positive news: 2010 could be the first year in the past decade to show a smaller number of logged threats against defense and military networks. This does not necessarily mean that the number of attempts has decreased. Instead, the report cites the Defense Department's assertion that its own defensive measures over the past year have prevented a larger number of threats.

The U.S.-China Economic and Security Review Commission was set up by Congress in 2000 to analyze the national security issues involved in the trade and economic relationship between the U.S. and China.
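The April 8 redirection described above was a routing-level event: for 17 minutes, paths to a large number of prefixes were announced with an origin that the legitimate address holders had not authorized. The following is an added example, not code from the USCC report or the CNET article, of how an operator can detect that from a feed of BGP UPDATE records by comparing each announcement's origin AS against an expected-origin table (in practice built from registry route objects or RPKI ROAs) and timing how long the anomaly persisted. The prefixes (RFC 5737 documentation ranges), AS numbers (RFC 5398 documentation ASNs) and update records are constructed for illustration; the first sample episode is sized to mirror the 17-minute window.

```python
"""Origin-hijack detection over a stream of BGP UPDATE records.

Added example; not code from the USCC report or the CNET article. The prefixes
(RFC 5737 documentation ranges), AS numbers (RFC 5398 documentation ASNs
64496-64511) and update records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed baseline: prefix -> AS expected to originate it. In practice this
# comes from registry route objects, RPKI ROAs, or a stable history of observations.
EXPECTED_ORIGIN: Dict[str, int] = {
    "192.0.2.0/24": 64500,      # hypothetical government network
    "198.51.100.0/24": 64501,   # hypothetical corporate network
    "203.0.113.0/24": 64502,    # hypothetical mail provider
}


@dataclass
class Update:
    t: int                       # seconds since epoch (constructed)
    prefix: str
    as_path: Tuple[int, ...]     # left = nearest peer, right = origin; () for withdrawals
    withdrawn: bool = False


@dataclass
class Episode:
    prefix: str                  # monitored prefix that was affected
    announced: str               # exact prefix seen (may be a more specific)
    rogue_origin: int
    start: int
    end: Optional[int] = None

    def duration(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def covering_prefix(announced: str) -> Optional[str]:
    """Monitored prefix that `announced` equals or is a more specific of, else None."""
    net = ipaddress.ip_network(announced)
    for p in EXPECTED_ORIGIN:
        mon = ipaddress.ip_network(p)
        if net.version == mon.version and net.subnet_of(mon):
            return p
    return None


def detect(updates: List[Update]) -> List[Episode]:
    """Walk updates in time order. Open an episode when a monitored prefix (or a
    more specific of it) is originated by an AS other than the expected one; close
    it when the expected origin re-announces that exact prefix or the rogue route
    is withdrawn. Returns all episodes, open ones with end=None."""
    open_eps: Dict[str, Episode] = {}   # keyed by announced prefix
    episodes: List[Episode] = []
    for u in sorted(updates, key=lambda x: x.t):
        monitored = covering_prefix(u.prefix)
        if monitored is None:
            continue                     # not a prefix we care about
        if u.withdrawn or u.as_path[-1] == EXPECTED_ORIGIN[monitored]:
            ep = open_eps.pop(u.prefix, None)
            if ep is not None:
                ep.end = u.t             # rogue route gone or legitimate origin back
            continue
        if u.prefix not in open_eps:     # new anomaly, not a repeat of an open one
            ep = Episode(monitored, u.prefix, u.as_path[-1], u.t)
            open_eps[u.prefix] = ep
            episodes.append(ep)
    return episodes


# Constructed feed: AS64510 is the legitimate upstream, AS64511 the rogue origin.
SAMPLE_UPDATES = [
    Update(1000, "192.0.2.0/24", (64510, 64500)),          # normal announcement
    Update(1010, "198.51.100.0/24", (64510, 64501)),       # normal announcement
    Update(1500, "192.0.2.0/24", (64510, 64509, 64511)),   # origin changes: hijack
    Update(1520, "198.51.100.0/25", (64509, 64511)),       # more-specific hijack
    Update(1600, "203.0.113.0/24", (64510, 64502)),        # unaffected prefix
    Update(2520, "192.0.2.0/24", (64510, 64500)),          # expected origin back (1020 s)
    Update(2530, "198.51.100.0/25", (), withdrawn=True),   # rogue more specific withdrawn
]


def report(updates: List[Update] = SAMPLE_UPDATES):
    """(monitored prefix, announced prefix, rogue origin, duration in seconds or None)."""
    return [(e.prefix, e.announced, e.rogue_origin, e.duration()) for e in detect(updates)]


if __name__ == "__main__":
    for prefix, announced, origin, dur in report():
        when = "ongoing" if dur is None else f"{dur} s"
        print(f"{prefix}: {announced} originated by AS{origin}, {when}")
```

Origin comparison catches the case the report describes, a network originating routes it does not hold, but not a hijack that keeps the true origin at the end of the path and inserts itself only as transit; that needs path-level baselines. A provider legitimately announcing a more specific of a customer's prefix will also trip this check unless the expected-origin table lists that arrangement.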

Source: http://news.cnet.com/8301-1009_3-20020461-83.html

FACTS OF THE ATTACK

The attacks used command-and-control servers based in Taiwan that are commonly used by or on behalf of the Chinese government, according to iDefense. "The IP addresses used to launch the attacks are known to be associated with previous attacks from groups that are either directly employed agents of the Chinese state or amateur hackers that are proxies for them that have attacked other U.S. companies in the past," said Eli Jellenc, head of international cyberintelligence at iDefense.

The attacker typically sends an e-mail to a specific administrator or other worker inside a company, often camouflaged as coming from someone the recipient knows. If the recipient opens the attachment, the malware is dropped onto the target computer, from where it can be remotely controlled to steal data, access sensitive parts of the network, or even launch an attack on other computers. With this foothold, the attacker was able to launch a series of attacks against Google and its affiliates.

CLASSIFICATION OF THE ATTACK

The attack was a network-based attack. Individuals at the agencies affected received e-mails that led to malware, and most of the malware samples collected by the researchers were PDFs that exploited holes in Adobe Acrobat and Reader. Accounts on Twitter, Yahoo Mail, Google Groups, Blogspot and other social-networking sites were used to update compromised computers and to host malware, according to the report.

VULNERABILITIES THAT WERE EXPLOITED

Sharing was the main vulnerability of this attack. Because the network enabled resource and workload sharing, far more users had the potential to reach these networked systems than could reach a single standalone computer, which widened the attack surface. In addition, a newly discovered vulnerability in Internet Explorer was used in the attacks. Initially, malicious PDFs targeting a hole in Adobe Reader were suspected to be the culprits, but Adobe said that it had no evidence that this was the case. Coincidentally, Adobe patched a so-called "zero-day" hole in Reader and Acrobat that was discovered in mid-December and had been exploited in attacks in the wild to deliver Trojan horse programs that install backdoor access on computers. The exploits used in the attacks were not generated from freely available tools or publicly posted code; the attackers appeared to have access to kits that let them create the exploit files carrying the Trojan that installs the malware.

CATEGORY OF ATTACK

It is possible the attackers used "multiple exploits and multiple, tailor-made Trojans for different targets." Meanwhile, Texas-based hosting provider Rackspace confirmed that a server at the company had been compromised and used in the attacks.

INFORMATION CHARACTERISTICS THAT WERE VIOLATED
- Interception of data in traffic
- Running a program at a remote host
- Accessing data or programs at remote hosts
- Inserting communications impersonating a user
- Blocking selected traffic
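The fourth and fifth items above describe what the March 24 DNS incident amounted to: an answer inserted by a party impersonating the server that should have replied, which at the same time blocked access to the real site. Injected DNS answers leave a signature at the resolver: the genuine reply usually still arrives, carrying the same transaction ID and question but different data, so two conflicting responses to one query are visible on the wire. The following is an added example, not code from the article or this report, that builds and parses raw DNS responses and flags such conflicts. The names, addresses (RFC 5737 documentation ranges) and captured packets are constructed; the forged packet's source address is spoofed to match the real server, as an injector typically does.

```python
"""Spotting injected DNS answers from conflicting responses to one query.

Added example; not code from the CNET article or this report. Names, addresses
(RFC 5737 documentation ranges) and the captured packets are constructed with
build_response() for illustration.
"""
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid: int, qname: str, addrs: List[str], ttl: int = 300) -> bytes:
    """Minimal DNS response (QR=1, RD=1, RA=1, NOERROR) with one A record per address.
    Answer owner names use a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + question + answers


def read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name at `off`; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                                    # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                                        # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(data: bytes) -> Tuple[int, int, str, List[str]]:
    """Return (txid, rcode, qname, [A record addresses]) from a raw DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, qname = 12, ""
    for _ in range(qd):
        qname, off = read_name(data, off)
        off += 4                                                     # QTYPE, QCLASS
    addrs = []
    for _ in range(an):
        _owner, off = read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return txid, flags & 0x000F, qname, addrs


def find_conflicts(captured):
    """captured: [(t_seconds, src_ip, raw_response)] seen on a resolver's socket.
    Group by (txid, qname); more than one distinct answer set in a group means a
    party other than the one real server answered that query. Returns the
    conflicting groups with responses ordered by arrival time: an injected answer
    typically arrives before the genuine one."""
    groups: Dict[Tuple[int, str], list] = defaultdict(list)
    for t, src, raw in captured:
        txid, _rcode, qname, addrs = parse_response(raw)
        groups[(txid, qname)].append((t, src, tuple(sorted(addrs))))
    return {k: sorted(v) for k, v in groups.items() if len({r[2] for r in v}) > 1}


# Constructed capture: the resolver asked 198.51.100.53 for www.example.test; a forged
# reply with a spoofed source arrives first, then the genuine one with the same ID.
CAPTURE = [
    (0.004, "198.51.100.53", build_response(0x1A2B, "www.example.test", ["203.0.113.9"])),
    (0.120, "198.51.100.53", build_response(0x1A2B, "www.example.test",
                                            ["192.0.2.10", "192.0.2.11"])),
    (0.050, "198.51.100.53", build_response(0x3C4D, "mail.example.test", ["192.0.2.25"])),
]


def suspect_answers(capture=CAPTURE) -> Dict[str, List[str]]:
    """qname -> the earliest (most likely injected) answer set of each conflicting query."""
    return {qname: list(resp[0][2]) for (_id, qname), resp in find_conflicts(capture).items()}


if __name__ == "__main__":
    for name, addrs in suspect_answers().items():
        print(f"{name}: conflicting responses; earliest answer {addrs} is suspect")
```

This check only works where the resolver sees both replies, which is the case for on-path injection but not when the query's path itself has been redirected, as in the April routing incident, or when the server that answers is the one giving wrong data; DNSSEC validation of the answer is the check that covers those cases as well.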

DETAILS

Google said some intellectual property was stolen but did not elaborate. The company also said limited account information of two Gmail users was accessed. Reportedly the attackers were able to reach a system used to help Google comply with search warrants by providing data on Google users, referred to as an "internal intercept" system. The data stolen from the compromised agencies in the India-focused spy network included about 1,500 letters sent from the Dalai Lama's office between January and November 2009, reports on missile systems in India, and documents related to NATO force movements in Afghanistan.

In the March 24 DNS incident, one of the main DNS root servers, the I root server, operated from Sweden, was directing visitors trying to reach those sites to servers in China instead. This effectively placed people behind the Great Firewall of China, a strictly controlled network of servers and routers the People's Republic of China uses to filter the Internet and block its citizens from accessing content deemed politically sensitive. Representatives from Twitter and Facebook did not report on the effects of the incident on them. A spokesman for Google, which owns YouTube, declined to comment, saying "this appears to be a specific ISP level issue." He said it was not related to Google's English-language corporate site appearing in Chinese, Danish, and other languages, which the company attributed to a virus. There will no doubt be speculation that the DNS mix-up is related to tensions among Google, the United States, and China over Google's claim that its network and Gmail users who are human rights activists were targeted late last year by the attacks. In a highly public action, Google moved its Google.cn site to Hong Kong.

"For a long time, we have believed that China modifies DNS answers; no surprise there," Rodney Joffe, a senior vice president at DNS service provider Neustar, told CNET in an interview late Thursday. "They do it because they want to make sure that, for example, people inside China are subject to the censorship." But what was a surprise, he said, was that a server inside China was able to redirect Web traffic from users outside the country to servers inside it.

EFFECTS OF THE ATTACK

As a result, Internet users around the world trying to reach those three popular U.S.-based social-networking sites, as well as as many as 20 or 30 other sites, were either redirected to alternative sites offered in China or saw error messages indicating that the sites they were seeking did not exist, Joffe said. He declined to name any of the other Web sites that were affected.

COUNTERMEASURES

Although these attacks targeted corporations, consumer computers can be targeted in the same way. Computer users should be wary of opening attachments or clicking on links in e-mails that are unsolicited or come from people they do not know. Since the e-mails in these attacks were camouflaged as coming from someone the recipient knows, a familiar sender is not by itself a reliable signal; an unexpected attachment deserves suspicion whoever appears to have sent it. People should keep their antivirus and security software up to date, use the latest versions of operating system and application software on their machines, and install patches promptly. There are also programs, like AVG LinkScanner, that can warn people before they visit sites hosting malware. To avoid scams, people should contact companies directly to verify that a suspicious e-mail is legitimate, not give out personal information requested in e-mail, and change passwords frequently. Furthermore, the following measures, if put into effective practice, will counteract the success of such attacks:
- Cryptographic protection against spoofing
- A limited period of validity for user credentials and sessions
- Timestamps to prevent replay attacks, and traffic padding
- Authentication of servers, combined with intrusion detection systems
- Criminal and legal penalties could also be used as a preventive measure
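The first three measures above fit together in one message format: an HMAC over the message binds it to a shared key, so a spoofed or altered message fails verification; a timestamp bounds how long a message stays valid; and a per-message nonce remembered for that window makes a replayed copy detectable. The following is an added example illustrating that combination; it is not from the report or from Pfleeger, and the shared key, clock values and messages are constructed.

```python
"""HMAC-authenticated envelopes with a validity window and replay detection.

Added example, not from the report or from Pfleeger; the shared key, clock
values and messages are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Any, Dict, Optional, Tuple

KEY = b"constructed-shared-secret-for-this-example"   # in practice: per peer, from a key store
MAX_SKEW = 30   # seconds a message remains acceptable: the limited validity period


def _canonical(env: Dict[str, Any]) -> bytes:
    """Deterministic serialization so sender and verifier MAC exactly the same bytes."""
    return json.dumps(env, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: Any, key: bytes = KEY, now: Optional[float] = None,
         nonce: Optional[str] = None) -> Dict[str, Any]:
    """Wrap payload with a timestamp and nonce, then a MAC over all three fields."""
    env = {
        "ts": int(time.time() if now is None else now),
        "nonce": nonce or secrets.token_hex(16),
        "payload": payload,
    }
    env["mac"] = hmac.new(key, _canonical(env), hashlib.sha256).hexdigest()
    return env


class Verifier:
    def __init__(self, key: bytes = KEY, max_skew: int = MAX_SKEW):
        self.key, self.max_skew = key, max_skew
        self.seen: Dict[str, int] = {}   # nonce -> ts, pruned as the window moves

    def verify(self, env: Dict[str, Any], now: Optional[float] = None) -> Tuple[bool, str]:
        """(accepted, reason). The MAC is checked first so that nothing about an
        unauthenticated message (its timestamp or nonce) influences state."""
        now = time.time() if now is None else now
        env = dict(env)
        mac = env.pop("mac", None)
        expected = hmac.new(self.key, _canonical(env), hashlib.sha256).hexdigest()
        if not isinstance(mac, str) or not hmac.compare_digest(mac, expected):
            return False, "bad mac"                      # spoofed or tampered
        if abs(now - env["ts"]) > self.max_skew:
            return False, "expired"                      # outside validity window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if env["nonce"] in self.seen:
            return False, "replay"                       # same message seen within window
        self.seen[env["nonce"]] = env["ts"]
        return True, "ok"


def demo() -> list:
    """Run the cases a verifier must handle; returns the verdict reasons in order."""
    v = Verifier()
    t0 = 1_700_000_000
    msg = sign({"cmd": "transfer", "amount": 100}, now=t0, nonce="n1")
    results = [v.verify(msg, now=t0 + 1)[1]]                 # genuine, fresh: ok
    results.append(v.verify(msg, now=t0 + 2)[1])             # identical copy resent: replay
    tampered = dict(msg)
    tampered["payload"] = {"cmd": "transfer", "amount": 100000}
    results.append(v.verify(tampered, now=t0 + 3)[1])        # body altered: bad mac
    old = sign({"cmd": "transfer", "amount": 5}, now=t0, nonce="n2")
    results.append(v.verify(old, now=t0 + MAX_SKEW + 1)[1])  # held back too long: expired
    return results


if __name__ == "__main__":
    print(demo())
```

Verification order matters: the MAC is checked before the timestamp or nonce is trusted, otherwise an attacker could fill or probe the nonce cache with unauthenticated messages. The cache only has to hold nonces for the validity window, which is what keeps it bounded; a longer window costs more memory and widens the replay surface. The fourth and fifth measures, server authentication with intrusion detection and legal penalties, are outside what a message format can provide.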

REFERENCES

- Pfleeger, Charles P.; Pfleeger, Shari Lawrence (2006). Security in Computing, Fourth Edition. UniSZA Library, shelf QA 76.9 .A25 .P45.
- CNET News, "Report: China hijacked U.S. Internet data": http://news.cnet.com/8301-1009_3-20020461-83.html

FACULTY OF INFORMATICS
PROGRAMME: BACHELOR OF COMPUTER SCIENCE (HONS) (SOFTWARE DEVELOPMENT)
ASSIGNMENT 1: Network Security, TKE 4263
LECTURER: Miss Nazirah bt Abdul Hamid
SUBMITTED BY: Nurudeen Sherif, 028447
DATE OF SUBMISSION: 25 May 2011
